#1 - 12-02-2010 - Just Joined! (Join Date: Dec 2010, Posts: 5)
Samba with both domain and local users
I've got a sticky problem that I can't seem to figure out. I have a server set up with samba on a windows domain. I have it working with security=ads, shares work fine with domain users.
However, I have a share which I want to be available to non domain users. Basically, I have some machines on the network which are not joined to the domain and must stay that way for security reasons. Ideally, they should connect to the samba share as a local user (local to the server). Unfortunately, it seems like samba in ads mode cannot support this - it always uses the ad server for authentication.
So I wanted to try using pam for authentication. I have pam working fine for ssh and gdm authentication, looking first for local users and then for domain users. However, when I set the same pam settings for samba, it doesn't seem to do anything at all. "obey pam restrictions = yes" is in my smb.conf file. I eventually figured out that if encrypt passwords is on (which it is by default), then samba ignores pam authentication entirely. However, when I put "encrypt passwords = no", then I cannot seem to authenticate at all, either with a domain user or a local user, no matter what I set the security mode to.
Have googled the problem with no luck. Does anyone have a good link or advice for how to get samba to authenticate via pam? Or any other way to have samba allow connections for both domain and local users? I'd be content with having the share open (not requiring authentication), but that doesn't seem to work either. Allowing guests and setting the guest account doesn't work because even if the share allows any user to get to it, samba still needs to authenticate the user with the AD server (at least in ads mode), meaning guest access will only work if the AD guest account is set up, which it is not.
#2 - 12-02-2010 - Just Joined! (Join Date: Dec 2010, Posts: 5)
My smb.conf:
[global]
security = ads
# obey pam restrictions = yes
# encrypt passwords = no
# guest account = nobody
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
password server = adserver.mydomain.com
server string = File Server
log file = /var/log/samba/%m.log
max log size = 1000
dns proxy = no
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind uid = 16777216-33554431
winbind gid = 16777216-33554431
create krb5 conf = no
template shell = /bin/bash
client use spnego = yes
domain master = no
admin users = @"MYDOMAIN/Domain Admins" MYDOMAIN/cberger
invalid users = root bin daemon adm sync shutdown halt mail news uucp operator gopher
inherit acls = yes
map acl inherit = yes
acl group control = yes
#share definitions (removed)
My /etc/pam.d/samba:
#%PAM-1.0
auth sufficient pam_unix2.so
auth sufficient pam_winbind.so use_first_pass use_authtok
auth required pam_nologin.so
account sufficient pam_unix2.so
account sufficient pam_winbind.so use_first_pass use_authtok
session sufficient pam_unix2.so
session sufficient pam_winbind.so use_first_pass use_authtok
session required pam_limits.so
(Basically, the exact same pam definitions work fine for sshd, gdm, and login... I have a few other lines in there for stuff like creating a home directory which shouldn't be necessary for samba.)
#3 - 12-08-2010 - Just Joined! (Join Date: Oct 2010, Posts: 30)
ADS security only allows guest for the printers.
PAM allows guest logins.
You should add:
hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1
hosts deny = all
"hosts allow" allows the entire 10.10.10.0/24 network as well as localhost; "hosts deny = all" denies any host not listed in "hosts allow". For some kind of security.
[public]
comment = Public Folder
path = /home/public
public = yes
writable = yes
create mask = 0777
directory mask = 0777
force user = nobody
force group = nogroup
No authentication: add these lines to smb.conf after removing the authentication parameters:
guest ok = yes
guest only = yes
hosts allow =
hosts deny =
"guest ok = yes" allows "guest" access on the samba share; this means users will _not_ have to log in. "guest only = yes" means all machines accessing the shares will be guests.
#4 - 12-08-2010 - Just Joined! (Join Date: Oct 2010, Posts: 30)
On my file server I set up samba passwords and a restricted area for users that log in. The public folder is available to both guests and domain users.
Standalone mode
#========================= Global Settings ====================
[global]
local master = no
preferred master = no
domain master = no
#### Networking ####
#hosts allow = 10.10.10.0/255.255.255.0 127.0.0.1
#hosts deny = all
# "hosts allow" allows the entire 10.10.10.0/24 network as well as localhost;
# "hosts deny = all" denies any host not listed in "hosts allow". For some kind of security.
####### Authentication #######
passdb backend = tdbsam
invalid users = root
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
encrypt passwords = yes
map to guest = Bad Password
#======================= Share Definitions ====================
[Public]
path = /home/Public Folder
writable = yes
create mask = 0777
directory mask = 0777
guest ok = yes
Then set the directory permissions (the path contains a space, so it must be quoted):
chmod -R 0777 "/home/Public Folder"
#5 - 12-13-2010 - Just Joined! (Join Date: Dec 2010, Posts: 5)
Thanks for the replies. I'm having trouble figuring out exactly what I should do based on your post (because some of it seems to contradict what I'm trying to do, some of it I've already tried and failed, and some of it is irrelevant (hosts denied or allowed are already set up in my hosts.allow and hosts.deny files)). I think that the "map to guest = Bad Password" line might just help, though. I'll give it a try.
#6 - 12-13-2010 - Just Joined! (Join Date: Dec 2010, Posts: 5)
Hoo... this looks promising. I added the "map to guest = Bad Password" line and it *appears* to be working. I can't test with the non-domain machines until later tonight (or if I have time I'll set up a virtual machine based on one of those machines), but with the share set to guest only, connecting with a domain user and creating a new folder, the folder is owned by "nobody", so it looks good, thanks.
Not as ideal as being able to authenticate as a local user alongside domain authentications, but it works.
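An added example, not code from the thread or from Samba: a constructed smb.conf that keeps security = ads for domain users while letting non-domain machines use one share as guest, followed by a small POSIX shell checker that parses the file and reports the settings that decide who becomes guest. Two points are worth having in front of you while reading it: with encrypted (NTLM challenge/response) passwords smbd never sees a plaintext password, so "obey pam restrictions" only governs PAM account and session checks, not authentication; and Samba's "guest account" is always a local Unix account, so no AD guest account is needed. The example uses "map to guest = Bad User" rather than "Bad Password": Bad User maps only names that resolve to no account, whereas Bad Password also turns a real user's mistyped password into a silent guest session. The domain name, share names and paths (MYDOMAIN, /srv/public, /srv/staff) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a constructed smb.conf and
# audits the guest-related settings in it. Hypothetical names: MYDOMAIN,
# /srv/public, /srv/staff.

SMB_CONF="${TMPDIR:-/tmp}/smb.conf.example.$$"

# Write the constructed smb.conf and print its path.
write_example_conf() {
  cat > "$SMB_CONF" <<'EOF'
[global]
   security = ads
   workgroup = MYDOMAIN
   realm = MYDOMAIN.COM
   # Bad User: only a name that resolves to no account (local passdb, unix
   # or winbind) becomes guest. Bad Password would also turn a real user's
   # mistyped password into a silent guest session.
   map to guest = Bad User
   # The guest account is always a local Unix account, never an AD one.
   guest account = nobody

[public]
   path = /srv/public
   guest ok = yes
   guest only = yes
   force user = nobody
   writable = yes
   create mask = 0664
   directory mask = 0775

[staff]
   path = /srv/staff
   guest ok = no
   valid users = @"MYDOMAIN/Domain Users"
   writable = yes
EOF
  printf '%s\n' "$SMB_CONF"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# smbconf_get FILE SECTION KEY -> value. Section and key names are matched
# case-insensitively, comment lines (# or ;) are skipped, last definition wins.
smbconf_get() {
  awk -v want_sec="$2" -v want_key="$3" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
    index($0, "=") {
      key = trim(substr($0, 1, index($0, "=") - 1))
      val = trim(substr($0, index($0, "=") + 1))
      if (tolower(sec) == tolower(want_sec) && tolower(key) == tolower(want_key)) found = val
    }
    END { if (found != "") print found }
  ' "$1"
}

# smbconf_shares FILE -> one share name per line (everything except [global]).
smbconf_shares() {
  awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s)
                     if (tolower(s) != "global") print s }' "$1"
}

# audit_guest_policy FILE -> prints one finding per line; returns 1 when a
# risky global setting is present, 0 otherwise.
audit_guest_policy() {
  conf=$1; rc=0
  case "$(lc "$(smbconf_get "$conf" global security)")" in
    share) echo "WARN security = share was removed in Samba 4.0; use security = user"; rc=1 ;;
  esac
  case "$(lc "$(smbconf_get "$conf" global 'map to guest')")" in
    "bad password") echo "WARN map to guest = Bad Password: a typo in a real user's password becomes a guest session"; rc=1 ;;
    "bad user")     echo "OK   map to guest = Bad User" ;;
    never|"")       echo "INFO map to guest = Never: guest ok shares are unreachable without valid credentials" ;;
  esac
  smbconf_shares "$conf" | while IFS= read -r s; do
    g=$(smbconf_get "$conf" "$s" 'guest ok')
    [ -n "$g" ] || g=$(smbconf_get "$conf" "$s" public)   # "public" is a synonym of "guest ok"
    case "$(lc "$g")" in
      yes|true|1) echo "GUEST [$s] path=$(smbconf_get "$conf" "$s" path) force user=$(smbconf_get "$conf" "$s" 'force user')" ;;
      *)          echo "AUTH  [$s] valid users=$(smbconf_get "$conf" "$s" 'valid users')" ;;
    esac
  done
  return "$rc"
}

# Stand-alone run: write the example, audit it, clean up.
f=$(write_example_conf)
audit_guest_policy "$f"
rm -f "$f"
```

On a real server the authoritative check is still `testparm -s` on the live smb.conf, which prints the effective value of every parameter; the checker above only reads what is literally in the file. Keeping "guest only = yes" and "force user = nobody" on the public share is what makes files created by domain users land owned by nobody, as observed in the post above.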
#7 - 12-13-2010 - Just Joined! (Join Date: Oct 2010, Posts: 30)
At this time I have found nothing that allows guests on an ADS network.
My network is set up in workgroup fashion with 5 windows systems and a samba server. No domain controller. I mapped samba shares as drives on all systems. Using the settings from my previous post in my smb.conf file I was able to access a guest share. I added or modified these lines in my config file and set permissions on the share without adding users to my linux system. My test windows guest had access to only the guest share. The guest could log in to the other shares with user and password.
map to guest = Bad Password
create mask = 0777
directory mask = 0777
guest ok = yes
chmod -R 0777 "/home/Public Folder"
#8 - 12-13-2010 - Just Joined! (Join Date: Dec 2010, Posts: 5)
I'm so confused - your three posts all say different things. So, are you saying that you DON'T know of any way to use active directory and either guests or local (server) users in the same samba config? It seems silly... there really should be a way to get it to work. For one thing, I can't figure out why pam won't work for it. Samba should definitely be able to use pam for authentication, and I can get along perfectly fine with pam for stuff like gdm (and it works fine with both local and domain users), but the same config fails for samba.
Well, as I said in my previous post, it seems like I might have a working config to allow guest access, but you're saying it's impossible, and it might be true since I have only tested with domain computers so far.
#9 - 12-13-2010 - Just Joined! (Join Date: Oct 2010, Posts: 30)
When you set security = ads in the smb.conf file, Samba defers to the active directory settings and ignores pam permissions. So guest accounts must be set up in active directory.
I don't use active directory because I have some XP Home systems.
What I posted works with security = share.